# 51180 sc medium function is vulnerable to gas griefing

**Submitted on Jul 31st 2025 at 19:05:05 UTC by @PotEater for** [**Attackathon | Plume Network**](https://immunefi.com/audit-competition/plume-network)

* **Report ID:** #51180
* **Report Type:** Smart Contract
* **Report severity:** Medium
* **Target:** <https://github.com/immunefi-team/attackathon-plume-network/blob/main/plume/src/spin/Spin.sol>
* **Impacts:**
  * Theft of gas

## Description

### Brief / Intro

In the `Spin.sol` contract, the function `handleRandomness` contains a gas griefing attack vector due to an arbitrary external call (via a low-level call) that can trigger a malicious recipient's fallback/receive logic.

### Vulnerability Details

`handleRandomness` is intended to be called by the Supra router to deliver the random number and determine the reward. However, when certain reward categories are selected, the contract calls `_safeTransferPlume(user, rewardAmount * 1 ether);`, which ultimately performs a low-level call to the user's address. Because the callee is an arbitrary, user-controlled address, the recipient can execute arbitrary code in its `receive`/fallback function during that call.

Code snippet:

```solidity
        if (
            keccak256(bytes(rewardCategory)) == keccak256("Jackpot")
                || keccak256(bytes(rewardCategory)) == keccak256("Plume Token")
        ) {
            _safeTransferPlume(user, rewardAmount * 1 ether);
        }
```

A malicious recipient can include gas-heavy computations in their fallback/receive to cause excessive gas consumption when the supra router triggers `handleRandomness`, resulting in the supra router paying for that gas — effectively a theft of gas.
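The following contract pair is an added example (not the Plume project's code) illustrating the pattern described above from the defender's side: a push payout that forwards all remaining gas to the recipient, beside a hardened version that either bounds the gas forwarded or credits the reward for later withdrawal so that the caller of the router-triggered path pays only a fixed storage cost. All names (`PushPayout`, `HardenedPayout`, `pending`, `REWARD_GAS`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not project code. Vulnerable pattern: a low-level call that
/// forwards all remaining gas, so the recipient's receive()/fallback can burn
/// gas that the transaction sender (here, the router) pays for.
contract PushPayout {
    function payout(address user, uint256 amount) external {
        (bool ok, ) = user.call{value: amount}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

/// Added example, not project code. Hardened pattern: the router-triggered path
/// never hands unbounded gas to user code. Option A bounds the forwarded gas and
/// falls back to crediting the reward; option B only credits and lets the user
/// withdraw, paying for their own receive()/fallback.
contract HardenedPayout {
    /// Hypothetical gas stipend for the bounded push; enough for a plain EOA or
    /// a minimal receive(), too little for expensive callee logic.
    uint256 public constant REWARD_GAS = 30_000;

    mapping(address => uint256) public pending;

    event RewardCredited(address indexed user, uint256 amount);
    event RewardPaid(address indexed user, uint256 amount);

    /// Option A: bounded push. The callee can consume at most REWARD_GAS; if it
    /// reverts or runs out, the reward is credited instead of the call reverting.
    function payoutBounded(address user, uint256 amount) internal {
        (bool ok, ) = user.call{value: amount, gas: REWARD_GAS}("");
        if (ok) {
            emit RewardPaid(user, amount);
        } else {
            pending[user] += amount;
            emit RewardCredited(user, amount);
        }
    }

    /// Option B: pull payment. The router-triggered path does a single storage
    /// write with fixed gas cost and runs no user code at all.
    function creditReward(address user, uint256 amount) internal {
        pending[user] += amount;
        emit RewardCredited(user, amount);
    }

    /// The user pays for whatever their receive()/fallback does.
    function claimReward() external {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to claim");
        pending[msg.sender] = 0; // effects before interaction (reentrancy-safe)
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit RewardPaid(msg.sender, amount);
    }

    receive() external payable {}
}
```

Of the two hardened options, pull payment (`creditReward` plus `claimReward`) is the more robust choice: it removes user code from the router's call path entirely, whereas a bounded push still needs a stipend that is large enough for legitimate recipients yet small enough that the worst case is acceptable to the caller.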

### Impact Details

The supra router (the caller) must pay for any gas consumed during the external call. A malicious recipient can deliberately consume large amounts of gas in their fallback/receive, causing direct loss of funds for the supra router. This is a classic gas-griefing scenario.

### References

<https://github.com/immunefi-team/attackathon-plume-network/blob/580cc6d61b08a728bd98f11b9a2140b84f41c802/plume/src/spin/Spin.sol#L261>

## Proof of Concept

{% stepper %}
{% step %}

### Step

User requests a spin by calling `startSpin`.
{% endstep %}

{% step %}

### Step

Supra router calls `handleRandomness` to provide the random number and determine the reward.
{% endstep %}

{% step %}

### Step

The reward category for the user is "Plume Token" or "Jackpot", so `handleRandomness` invokes `_safeTransferPlume`, which performs a low-level call to the user's address.
{% endstep %}

{% step %}

### Step

The user-controlled address has a malicious `receive` or fallback function that performs gas-heavy computations. When called, this consumes excessive gas, which the supra router must pay — resulting in theft of gas.
{% endstep %}
{% endstepper %}
